On Mon, 27 Jan 2025 at 05:38, Umar Hayat <postgresql.wizard@gmail.com> wrote:
> +1. In GitHub you can enforce a minimum number of reviewers. IMO there
> should be a minimum of two reviewers, and one of the reviewers should
> be from the security group/role.
In a perfect world I'd agree, but I don't think there are currently
enough people involved in the project to make two reviewers a
realistic option.
> Though the primary risk would be
> introducing a new vulnerable dependency, there is no bound to other
> kinds of exploitation. Also, GitHub vulnerability scanning should be
> enabled by default.
Enabled that now on my GitHub mirror. I don't think it'll actually do
anything though. We don't pin exact Python dependency versions,
because on prod we only use Python dependencies available in Debian
(which should resolve security issues).